Clamav modules still disabled even though security issues are fixed

Bug #317923 reported by Scott Kitterman
256
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
High
Unassigned
Dapper
High
Unassigned
Gutsy
High
Unassigned
Hardy
High
Unassigned

Bug Description

Binary package hint: clamav

We've patched the security issues in 0.92.1, but not re-enabled the relevant modules. Upstream has included and I've backported the patch.

Revision history for this message
Scott Kitterman (kitterman) wrote :
Download full text (5.9 KiB)

Here's the debug output showing the same modules enabled as we get in 0.94.whicheveronewe'reonnow.

LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On ...

Read more...

Revision history for this message
Scott Kitterman (kitterman) wrote :

Debdiff verified in a Hardy chroot. Did not run the regression tests.

Changed in clamav:
importance: Undecided → High
status: New → Triaged
Changed in clamav:
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
Revision history for this message
Scott Kitterman (kitterman) wrote :

Working on Gutsy/Dapper. This bug will apply to Intrepid/Jaunty as soon as 0.95 is released.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Added closes in changelog and renamed debdiff to include release name.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Debdiff for Gutsy. Also includes work from Bug #271546 not previously uploaded

Revision history for this message
Scott Kitterman (kitterman) wrote :

Debdiff for Dapper. Also includes work from Bug #271546 not previously uploaded

Changed in clamav:
status: Triaged → In Progress
status: Triaged → In Progress
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks Scott. I've uploaded these to the security PPA and they will be published on Monday.

Changed in clamav:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1~gutsy3.1ubuntu2

---------------
clamav (0.92.1~dfsg2-1.1~gutsy3.1ubuntu2) gutsy-security; urgency=low

  [ Leonel Nunez ]
  * SECURITY UPDATE:
  * [CVE-2008-5314]: remote attack by sending a specially crafted JPEG file
    libclamav/special.c, libclamav/special.h, libclamav/scanners.c
  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory
    null dereferences
  * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
    libclamav/sis.c: fd leaks
  * [CVE-2008-3913]: freshclam/manager.c: memory leaks
  * added 29_CVE-2008-3912.dpatch 30_CVE-2008-3913.dpatch
     32_cli_check_jpeg_exploit.dpatch 31_CVE-2008-3914.dpatch
  * References: LP #271546, #304017

  [ Scott Kitterman ]
  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References: Clamav svn commit 4550 LP: #317923

 -- Scott Kitterman <email address hidden> Sat, 17 Jan 2009 23:57:18 -0500

Changed in clamav:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1ubuntu0.5

---------------
clamav (0.92.1~dfsg2-1.1ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References
  * Clamav svn commit 4550 LP: #317923

 -- Scott Kitterman <email address hidden> Fri, 16 Jan 2009 02:07:38 -0500

Changed in clamav:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

clamav (0.92.1~dfsg2-1.1~dapper3.3) dapper-security; urgency=low

  [ Leonel Nunez ]
  * SECURITY UPDATE:
  * [CVE-2008-5314]: remote attack by sending a specially crafted JPEG
    file
    libclamav/special.c, libclamav/special.h, libclamav/scanners.c
  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c:
    out-of-memory null dereferences
  * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
    libclamav/sis.c: fd leaks
  * [CVE-2008-3913]: freshclam/manager.c: memory leaks
  * added 29_CVE-2008-3912.dpatch 30_CVE-2008-3913.dpatch
     32_cli_check_jpeg_exploit.dpatch 31_CVE-2008-3914.dpatch
  * References: LP #271546, #304017

  [ Scott Kitterman ]
  * SECURITY UPDATE: re-enable modules disabled due to resolved security
    deficiencies:
  * References: Clamav svn commit 4550, LP #317923

Changed in clamav:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

All of these issues are fixed in Intrepid and higher.

Changed in clamav:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers